Posts tagged rights management

First, a little background information about Adobe LiveCycle

Adobe LiveCycle is an enterprise suite of server-based software products meant to help structure business processes. One of its key features is the ability to protect a document (PDF, Microsoft Word, Excel, PowerPoint, text and other formats) with a policy that restricts access to a subset of users. LiveCycle provides this through its Rights Management component.

Large organizations, or organizations that have used Adobe LiveCycle for an extended period, accumulate a significant number of policies and protected documents, and these become tiresome to manage through the web interface of the Rights Management component. Users also end up repeating the same action, such as protecting document after document with the same policy. What if there were a programmatic way to apply these policies to new documents, to reuse the policy from one document on another, or to manage the policies themselves?

When we meet with companies we get a substantial number of questions about how to protect digital content. Adobe has at least two offerings in the Digital Rights Management space, Adobe Content Server and Adobe LiveCycle Rights Management. Both fall into the DRM category, but they solve very different problems for very different markets. This article discusses the capabilities and licensing of each and the problems each is targeted at solving.

Adobe Content Server, also known as ACS, secures content in the ePub and PDF formats. It is sold by Adobe partners as a server license, and a transaction charge is incurred for each individual content license granted.

The target market for this offering is eBook or other digital content distributors such as Sony, Kobo, Barnes & Noble or Google. Content is licensed on a one-to-one basis and rights are applied at the time a specific item is purchased. More specifically, content is licensed to an individual with a specific Adobe ID or Vendor ID, and may not be consumed on reading devices that are not registered with that ID. ACS provides granular control over the rights granted with each content license. For example, a book store may sell a popular title at one price with the rights to read it on multiple devices, re-download it at a future date and print a range of pages, and may list the same book at a different price with more restrictive rights. Once rights are applied, generally at purchase time, they cannot be modified or revoked.

If you are using LiveCycle Rights Management ES2 SP2 (9.0.0.2) to apply policies to documents, and you have selected the option “Encrypt all document contents except metadata” in the policy, you will notice that the metadata is nevertheless encrypted. This is a defect in that release: the policy setting is accepted, but the resulting document does not honour it.

The option to omit the metadata from encryption is set when creating the policy, under Unchangeable Advanced Settings > Document Restrictions.
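Whether the option was actually honoured can be checked in the produced file rather than trusted from the policy screen. The following is an added example, not code from the original post or from Adobe: it builds two constructed skeletal PDFs (the /Adobe.APS security-handler name is an assumption; the /EncryptMetadata key and its default of true come from the PDF specification), then compares what the /Encrypt dictionary declares about metadata with whether the catalog's /Metadata stream is still readable XMP. A declared-clear flag next to an opaque stream is exactly the SP2 symptom, and the check flags it regardless of how the dictionary was written.

```python
import re

# Added example (not LiveCycle code). Constructed skeletal PDFs stand in for a
# rights-managed document; the /Adobe.APS handler name is assumed, while
# /EncryptMetadata and its default (true) come from the PDF specification.
XMP = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
       b'<x:xmpmeta xmlns:x="adobe:ns:meta/"/><?xpacket end="w"?>')
CIPHERTEXT = bytes(range(0x80, 0xB0))  # stands in for an AES-encrypted stream


def build_pdf(metadata_bytes, encrypt_metadata):
    """Assemble a minimal PDF body around the given metadata stream bytes."""
    flag = b"true" if encrypt_metadata else b"false"
    parts = [
        b"%PDF-1.6",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj",
        b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
        % len(metadata_bytes) + metadata_bytes + b"\nendstream\nendobj",
        b"5 0 obj\n<< /Filter /Adobe.APS /V 4 /Length 128 /EncryptMetadata " + flag
        + b"\n   /CF << /APSCF << /CFM /AESV2 /AuthEvent /DocOpen >> >>"
        + b" /StmF /APSCF /StrF /APSCF >>\nendobj",
        b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF",
    ]
    return b"\n".join(parts)


def get_object(pdf, num):
    """Return the body of `num 0 obj ... endobj`, or None if absent."""
    m = re.search(rb"(?m)^%d\s+0\s+obj\s*(.*?)\s*endobj" % num, pdf, re.S)
    return m.group(1) if m else None


def encrypt_dict(pdf):
    """Find the /Encrypt dictionary via the last classic trailer (incremental
    updates append trailers). Files that use cross-reference streams keep these
    keys in the /XRef object instead; that case is not handled here."""
    trailers = re.findall(rb"trailer\s*(<<.*?>>)", pdf, re.S)
    for t in reversed(trailers):
        ref = re.search(rb"/Encrypt\s+(\d+)\s+\d+\s+R", t)
        if ref:
            return get_object(pdf, int(ref.group(1)))
    return None


def metadata_stream(pdf):
    """Return the raw bytes of the catalog's /Metadata stream, or None."""
    roots = re.findall(rb"/Root\s+(\d+)\s+\d+\s+R", pdf)
    catalog = get_object(pdf, int(roots[-1])) if roots else None
    ref = re.search(rb"/Metadata\s+(\d+)\s+\d+\s+R", catalog or b"")
    obj = get_object(pdf, int(ref.group(1))) if ref else None
    body = re.search(rb"stream\r?\n(.*?)\r?\nendstream", obj or b"", re.S)
    return body.group(1) if body else None


def looks_like_xmp(data):
    """Clear-text XMP is an XML packet; an encrypted stream is opaque binary."""
    head = data.lstrip()[:64]
    return head.startswith(b"<?xpacket") or b"<x:xmpmeta" in head


def audit(pdf):
    """Compare what /Encrypt declares about metadata with what the metadata
    stream contains. 'mismatch' is True for the SP2 symptom (declared clear,
    stored encrypted) and also for the opposite case (declared encrypted,
    stored in clear), which would be a leak."""
    enc = encrypt_dict(pdf)
    if enc is None:
        return {"encrypted": False}
    handler = re.search(rb"/Filter\s*/([A-Za-z0-9.]+)", enc)
    flag = re.search(rb"/EncryptMetadata\s+(true|false)", enc)
    declared_encrypted = flag.group(1) == b"true" if flag else True  # spec default
    meta = metadata_stream(pdf)
    is_plaintext = looks_like_xmp(meta) if meta is not None else None
    return {
        "encrypted": True,
        "handler": handler.group(1).decode() if handler else None,
        "metadata_declared_encrypted": declared_encrypted,
        "metadata_is_plaintext": is_plaintext,
        "mismatch": is_plaintext is not None and is_plaintext == declared_encrypted,
    }


GOOD = build_pdf(XMP, encrypt_metadata=False)          # what the option should yield
BUGGY = build_pdf(CIPHERTEXT, encrypt_metadata=False)  # flag says clear, bytes are not

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("buggy", BUGGY)):
        print(name, audit(doc))
```

Run the script against a file produced by your own server (`audit(open(path, "rb").read())`) after applying a policy with the option selected; a `mismatch` of True on a document whose flag is false reproduces the problem described above. The XMP heuristic is deliberately simple, since it only has to distinguish an XML packet from ciphertext.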

We are pleased to announce the release of Adobe LiveCycle Enterprise Suite 3 (ES3). LiveCycle ES3 contains the document and data services capabilities, including electronic forms and business processes, which were formerly part of the Adobe Digital Enterprise Platform (ADEP), a brand that is being retired.

The new LiveCycle ES3 release incorporates:

Document services capabilities available with ADEP and the recent ADEP Document Services service pack 1

LiveCycle Data Services 4.6.1

Updates to LiveCycle Connectors for Microsoft® SharePoint® and IBM® FileNet

LiveCycle offers a number of components that help extend the value of existing back-end systems by better engaging users, streamlining processes, managing correspondence, and strengthening security.

There is some confusion about what features of Acrobat and PDF in general offer by way of securing documents. I would like to give a very cursory overview of the items that I have so far seen users consider “security.”

To be clear, by “security” I mean the ability or inability to access the contents of the PDF, thus safeguarding information from entering the wrong hands.

1) Not Security-Oriented

a) Watermarks

Unlike on your Dollar, Euro or Pound notes (etc), the watermark is NOT a guarantee of integrity, veracity or anything at all.

In the PDF world, a visible watermark exists only as a notification mechanism. If a watermark says “Confidential,” it is warning the viewer that the content is confidential; it does nothing to enforce that, and it is not indelible.

It is meant to be a very visible mark on the page that does not completely obscure the items underneath, so readability is maintained.

b) Certification

A Certified PDF carries a digital signature certifying that certain things can and cannot be done with it. Namely:

-A PDF certified to run privileged scripts can run scripts requiring special privileges, such as writing to the hard drive.
-A PDF certified as unmodified keeps its certification as long as any changes stay within the allowed parameters (fields filled in, for example). If a visual aspect of the PDF changes, the certification breaks and Acrobat reports the problem.

Certification covers a number of other use cases as well, but I hope the above illustrates sufficiently why this is not a security-related item in the sense defined above (it says nothing about who can read the content) but rather a usability and integrity concern.

c) Reader Extensions Usage Rights

Acrobat and LiveCycle can extend the usability of PDFs to Adobe Reader, the free PDF viewing application. By extending usability features, you can allow Reader users to fill in forms and save that content, add comment annotation, and other functionality.

However, if the same extended form is opened in Acrobat, the user can do to the PDF pretty much anything that Acrobat has at its disposal.

Reader Extensions usage rights only add capabilities to Reader. Anything a rights-enabled document still cannot do in Reader is a limitation Reader already had, not a restriction the document imposes.

2) Security-Oriented

a) Password Protection

Using password protection, you can encrypt the PDF so it can only be opened by a person who has the password. You can also prevent the PDF from being used in certain ways, such as modifying the pages.

You cannot, however, track who has opened the PDF, when, or from what IP address. That is the domain of Rights Management.

b) LiveCycle Rights Management (aka Policy Server)

LiveCycle 7 introduced Policy Server, later renamed LiveCycle Rights Management. Adobe LiveCycle/ADEP Rights Management protects your documents from being accessed by parties you have not authorized.

This allows the document publisher to:
-protect with a user ID/password combination
-force the identification to go to a remote server
-restrict usage rights depending on the user’s group


I’m starting a new hands on series for LiveCycle called appropriately: Hands On LiveCycle. This series will give you a complete and working sample LCA (LiveCycle Archive) file that you can import and run on your LiveCycle server. These hands on entries will attempt to solve a real world problem and will start out simple and continue to grow in complexity. If you have a suggestion for a hands on entry you would like to see feel free to let me know!

I’m kicking the series off with a problem that most consumers and agencies can relate to: how to handle a form that requires a wet signature, that is, an actual physical signature on the document.
In a perfect world everyone would accept a digital signature and all forms could be submitted online. However, we don’t live in a perfect world, and a good number of companies and government agencies still require a wet signature on a document or form to do business. If you wanted to fill out a form for a financial service or a government request, the typical process today might go something like this:

Download the document

Print the document

Fill out the document

Sign the document

Mail the document

Once the document is in the mail the process continues:

Receive the document

Key in the data in the document to the database

Store the document on the server

There are quite a few things that can go wrong with this human-centric process. The document could get lost in the mail, the user could fat-finger the data, causing delays, or the document could be stored in the wrong place. There are several ways this process can be improved just by using LiveCycle Reader Extensions, the LiveCycle Foundation Services and the free Adobe Reader (Barcoded Forms is now included with the LiveCycle Reader Extensions service). LiveCycle Reader Extensions lets you automate several pieces of this process, and in some cases more, depending on how a company or agency is willing to accept the form.

For this LiveCycle Hands On, it is assumed that the document will be filled out, printed, signed and mailed in by the applicant. Once the document arrives at the agency, it will be scanned and placed in a folder that is watched by LiveCycle. Once LiveCycle sees the document in the folder it will be processed, the applicant data will be stored in a database and the document will be written to the file system.

This process could be made even faster by removing the snail mail portion if the agency was willing to accept a document by email. If so, the applicant could scan the document themselves, attach it to an email and send it to an email address that LiveCycle monitors. Also, with the use of Reader Extensions, the user can now save a copy of the completed form to their hard drive.

The zip file for this hands on has a .lca file containing a form, some sample data and a process as well as a sample filled out form and a SQL script to create the demo table. The SQL Script should be run on the server that is hosting the LiveCycle Database and should use the adobe schema. The form will work either as the PDF file included, or if the form is printed out and scanned. LiveCycle is able to decode the information from the barcode either way.

The Barcoded Form Demo Process:

The process is broken down below into steps, with the operation and service category used for each.

LiveCycle receives a document from the watched folder to start the process.

LiveCycle extracts the data from the barcode and adds it to an XML variable. Operation: Decode. Category: Barcoded Forms.

LiveCycle extracts the XML form data from the barcode data and stores it in an XML list variable. Operation: Extract To XML. Category: Barcoded Forms.

LiveCycle sets the form data to the first element of the XML list variable. Operation: Set Value. Category: Foundation.

Disease: Typically, LiveCycle Rights Management (a.k.a. Policy Server) protected documents use a user ID/password mechanism to authenticate to the policy server before the protected document opens. Client certificates give a stronger form of authentication, and stronger still is an authentication certificate that lives on a smartcard and is protected by a PIN code. The authentication certificate on the Belgian eID card is one example. How can it be used to authenticate to a policy-protected document?

Prescription:
To achieve this follow these steps:
1) First of all, the authentication certificate must be registered on the LiveCycle server. Open the adminui –> Settings –> Trust Store Management –> Certificates.
When importing the .cer file, specify that you want to trust the certificate for “Certificate Authentication”, and provide an alias.

2) Next this certificate must be mapped to an existing user in LiveCycle.
Open the adminui –> Settings –> User Management –> Configuration –> Certificate mapping.
The mapping between a certificate and a user is done for a defined alias, and is accomplished by mapping a certificate attribute (Mail, CN, DN,… ) to a user property (Full Name, Given Name, Mail, login ID, …).

In the case of the Belgian eID card the CN on the authentication certificate also contains the word “Authentication”. In my case my CN = Peter Schellemans (Authentication). So in order to get a working certificate mapping to an existing user, make sure you have a user with a matching Full Name. In my case I have a user (adminui –> Settings –> User Management –> Users and Groups) with First Name = Peter, Last Name = Schellemans (Authentication).

3) Next add this user as part of your Policy. When opening the policy protected document you will now get the choice between userid/password authentication and client certificate authentication.
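The mapping in step 2 is what decides which account a presented certificate becomes, so it is worth seeing how it must behave. The following is an added example, not LiveCycle's code: the subjects and the user directory are constructed (the eID subject only follows the CN pattern described above, with a made-up serial number), and the resolver applies one "certificate attribute -> user property" rule the way such a mapping has to be applied for authentication: exactly one user must match. It shows the CN-suffix pitfall (the plain "Peter Schellemans" account does not match the eID CN, and the Signature certificate matches nothing) and why a mapping on a non-unique attribute such as Mail must be rejected rather than resolved to the first hit.

```python
# Added example (not LiveCycle code): how a "certificate attribute -> user
# property" mapping resolves a presented certificate to exactly one user.
# Subjects and users are constructed; the eID CN follows the pattern the
# post describes (CN ends in "(Authentication)"), the serial is made up.
EID_AUTH = ("SERIALNUMBER=00000000000,GIVENNAME=Peter,SURNAME=Schellemans,"
            "CN=Peter Schellemans (Authentication),C=BE")
EID_SIGN = ("SERIALNUMBER=00000000000,GIVENNAME=Peter,SURNAME=Schellemans,"
            "CN=Peter Schellemans (Signature),C=BE")
CORP = ("CN=Peter Schellemans,OU=Sales,O=Example\\, Inc.,"
        "EMAILADDRESS=peter@example.com,C=BE")

USERS = [
    {"login": "pschellemans", "first": "Peter", "last": "Schellemans",
     "mail": "peter@example.com"},
    # The extra user the post creates so the eID CN maps onto a Full Name.
    {"login": "pschellemans-eid", "first": "Peter",
     "last": "Schellemans (Authentication)", "mail": "peter@example.com"},
    {"login": "jdoe", "first": "Jane", "last": "Doe", "mail": "jane@example.com"},
]

ATTR_ALIASES = {"EMAILADDRESS": "MAIL", "E": "MAIL"}  # normalise naming variants


def parse_dn(dn):
    """Split an RFC 4514 subject into (TYPE, value) pairs, honouring backslash
    escapes so a comma inside a value (O=Example\\, Inc.) is not a separator."""
    pairs, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            pairs.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    pairs.append("".join(cur))
    out = []
    for rdn in pairs:
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        out.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return out


def user_property(user, prop):
    """The user properties a mapping can target (subset of LiveCycle's list)."""
    if prop == "Full Name":
        return f"{user['first']} {user['last']}"
    return {"Given Name": user["first"], "Mail": user["mail"],
            "Login ID": user["login"]}[prop]


def resolve_user(subject, cert_attr, user_prop, users=USERS):
    """Map one certificate attribute onto one user property.
    Returns (user, None) on a unique match, else (None, reason). Anything other
    than exactly one match is rejected: zero matches is the eID CN-suffix
    pitfall; several matches would let one certificate pick among accounts."""
    attrs = dict(parse_dn(subject))          # repeated types: last one wins
    value = attrs.get(cert_attr.upper())
    if value is None:
        return None, f"certificate carries no {cert_attr}"
    hits = [u for u in users if user_property(u, user_prop) == value]
    if len(hits) == 1:
        return hits[0], None
    return None, f"{len(hits)} users have {user_prop} == {value!r}; need exactly one"


if __name__ == "__main__":
    for subj, attr, prop in ((EID_AUTH, "CN", "Full Name"),
                             (EID_SIGN, "CN", "Full Name"),
                             (CORP, "Mail", "Mail")):
        user, why = resolve_user(subj, attr, prop)
        print(attr, "->", prop, ":", user["login"] if user else "REJECT: " + why)
```

Two things carry over to the real configuration: the property you map onto must be unique across your users (Login ID is; Mail and Full Name often are not), and the eID Signature certificate on the same card will not match an account named for the Authentication certificate, which is the intended behaviour since only the authentication certificate should open documents.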

Tip to stay healthy:
If you want a higher level of security when authenticating towards a policy protected document, Adobe LiveCycle allows you to map certificates towards users, used in a policy definition.

—-
Original article at http://www.drflex.eu/2009/01/using-the-belgian-eid-card-for-accessing-a-livecycle-rights-management-protected-document/?utm_source=rss&utm_medium=rss&utm_campaign=using-the-belgian-eid-card-for-accessing-a-livecycle-rights-management-protected-document.

Having co-authored a book for O’Reilly titled “Web 2.0 Architectures”, which largely focuses on patterns of things deemed to be “web 2.0″, I have turned my mind towards specializing many of these towards government.

The scope for this work would be IT systems that provide services to citizens. There are several concepts that seem to be no-brainers when you look at them at a high level. However, there may be red tape or other legislative or legal reasons why they cannot be simplified.

A white paper is in order, however here are some preliminary thoughts:

1. Please don’t ask me for information you already have! Governments should avoid asking their users for information they already have. Practical: I fill out income tax forms every year in which I have to enter data that is used to calculate my personal taxes. The reality is that my government already has most if not all of this information. My employer has to file my income with them, charities already have filed copies of receipts and the government knows exactly how much money they have deducted already for federal and provincial taxes. Why am I being asked to enter that information into a form again? Perhaps figuring out a confidential way to send me my completed tax return and then allow me to file “adjustments” would be more efficient from a user perspective?

2. Open Data. The Government of Canada has recently made several sets of data open for the people who paid for the data (citizens) to access. (http://www.data.gc.ca/default.asp?lang=En&n=F9B7A1E3-1). I applaud this move and now we have a responsibility to help them specialize the way data is published at the next level.

3. Allowing multiple channels of communication to be reconciled. The Canadian government again had a great program for electronic passport applications and renewals, which reconciled electronic forms data and “in person” interviews. More government departments need to be savvy and adopt this sort of system.

4. Use of Social Media! I’ve seen some government departments shun social media. Sometimes this is based on a fear or perception that the conversations will be antagonistic towards their department. Guess what? It is far better to be part of a conversation than to be defined by it. Get over your fears and get involved with social media. Use it as a tool to figure out where the common practices are that annoy end users and how to best fix them. Find out what is working well and what is not. Find out what the public does not know and use social media to help convey solutions to us. Use social media to get citizen input and ideas. Vancouver City council has done this! (http://talkgreenvancouver.ca/). This involves letting go of ego and recognizing that good ideas can come from anyone.

5. Electronic records. The Ministry of Health in BC has started moving to EMR (Electronic Medical Records). This is a huge step in the right direction. I trust this far more than having all my records sitting in a single doctor’s office in paper format.

6. Use SOA! Services to citizens are core. If you can take services and allow 3rd parties to provide them, this could make all our lives simpler. With this comes great responsibility for things such as ensuring records are not breached or files compromised, however I believe this can be done in a manner that serves the greater public interest. The use of services could be applied to many contexts including Government to Government, Government to Citizen and Government to Industry (Business).

7. Protect my data! Please take steps to protect my personal data from hackers or accidental leaks. Adobe makes a great product called “Rights Management” (part of the LiveCycle ES platform), which can mitigate the impact of disasters, even after they have occurred.

8. Use technology to become more open and transparent. Allow the decisions made, the data available and the rationale behind closed votes to be publicly accessible. This would be easy to implement by using a Robert’s Rules XML schema to mark up data that would let anyone find out who attended meetings, who voted on which topics, in which categories, and more. The public would prefer this to finding out later or, worse, being critical based on false beliefs. Transparency should be a cornerstone. Isn’t this what democracy is all about anyway?

9. Accessibility for Joe Average. Typically, access to senators, heads of state and other high-ranking public officials has been perceived as impossible for the average person. Using the collaboration tools available via the Internet, governments can easily give citizens better access to information and to the individuals charged with the fiduciary duties of public office or public service. Products like Adobe Acrobat Connect could be used to hold a citizens’ briefing once a week, giving individuals a platform to engage with government on various topics. Obviously this wouldn’t work in a general setting (e.g. Obama letting any citizen discuss any topic), but scoping it to narrow issues such as local municipal political issues could have a huge impact.

Anyways, these are some initial ideas I had. If you think they are bunk or have others, please leave a comment.